Auditing Registry Access

Auditing registry access is a great way to track down registry settings, and it's one of the methods that I discuss in Chapter 8, "Finding Registry Settings." It's also a reasonable way to monitor access to sensitive settings. The problem with auditing the registry is that you must either get very specific about which key you're auditing or pay a severe performance penalty by auditing too much of the registry. It's a fine line between getting the information you need and grinding the computer to a halt.

Auditing a key is a three-step process. First you must enable Audit Policy. You can do that on the network using Group Policy, but that seems silly considering the scope of the performance impact. If you're using auditing as a troubleshooting tool or to track down a setting, turn on Audit Policy locally. Click Start, Control Panel, Performance And Maintenance, Administrative Tools, and Local Security Policy. In the left pane, under Local Policies, click Audit Policy. In the right pane, double-click Audit Object Access, and then select the Success and Failure check boxes. After you've enabled Audit Policy, use Regedit to audit individual keys:

  1. In Regedit, click the key you want to audit.

  2. On the Edit menu, click Permission; then click Advanced.

  3. On the Auditing tab, shown in Figure 7-3, click Add.

    Figure 7-3: Audit keys sparingly because doing so can significantly impact performance.

  4. In the Select Users, Computers, Or Groups dialog box, click Locations, and then click the computer, domain, or organizational unit in which you want to look for the user or group you want to audit.

  5. In the Enter The Object Names To Select box, type the name of the user or group you want to add to the key's audit list, and then click OK.

  6. In the Auditing Entry For Name dialog box, in the Access list, select both the Successful and Failed check boxes next to the activities for which you want to audit successful and failed attempts. These correspond to the permissions you learned about in the section titled "Setting Keys' Permissions," earlier in this chapter:

    • Full Control

    • Query Value

    • Set Value

    • Create Subkey

    • Enumerate Subkeys

    • Notify

    • Create Link

    • Delete

    • Write DAC

    • Write Owner

    • Read Control

After enabling Audit Policy and auditing specific keys, check the results using Event Viewer. To open Event Viewer, click Start, Control Panel, Performance And Maintenance, Administrative Tools, and Event Viewer. In Event Viewer's left pane, click Security. You see each hit in the right pane, and the most recent hits are at the top of the list. Double-click any entry to see more details. The Event Properties dialog box tells you what type of access Windows XP detected, the object type, and the process that accessed the key or value. Chapter 8, "Finding Registry Settings," shows you how to use this information to figure out where Windows XP or a program stores certain settings in the registry.
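Event Viewer shows the audit hits one entry at a time. As an added example (not from the book), the PowerShell below parses the same Security-log entries into key / process / access rows and counts which key and process pairs show up most; the key path, process name and user in the sample entry are constructed.

```powershell
# Added example, not from the book: parse the Security-log hits that Event
# Viewer shows one at a time into key / process / access rows.
# Assumptions: PowerShell 2.0 or later, run as an administrator. XP/2003 log
# object access as event 560 (object open) and 567 (access attempt); Vista and
# later use 4656/4663 with different message fields.

function ConvertFrom-RegistryAuditEvent {
    param([Parameter(Mandatory=$true)]$Entry)   # EventLogEntry or a look-alike object
    # The message is a block of "Label:<tab>Value" lines; multi-line values (Accesses) continue on indented lines with no label.
    $fields = @{}; $last = $null
    foreach ($line in ($Entry.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $last = $matches[1].Trim(); $fields[$last] = $matches[2].Trim()
        } elseif ($last -and $line.Trim()) {
            if ($fields[$last]) { $fields[$last] += '; ' + $line.Trim() } else { $fields[$last] = $line.Trim() }
        }
    }
    if ($fields['Object Type'] -ne 'Key') { return }   # drop file, process and token hits
    New-Object PSObject -Property @{
        Time     = $Entry.TimeGenerated
        EventId  = $Entry.EventID
        Key      = $fields['Object Name']
        Process  = $fields['Image File Name']
        User     = $Entry.UserName
        Accesses = $fields['Accesses']
    }
}

# Constructed sample entry so the parser can be tried without a Security log.
$sample = New-Object PSObject -Property @{
    TimeGenerated = Get-Date; EventID = 560; UserName = 'MACHINE\someuser'
    Message = @"
Object Open:
    Object Type:    Key
    Object Name:    \REGISTRY\MACHINE\SOFTWARE\Example\AuditedApp
    Image File Name:    C:\WINDOWS\regedit.exe
    Accesses:   READ_CONTROL
            Query key value
            Set key value
"@
}
ConvertFrom-RegistryAuditEvent $sample | Format-List

# Live use: newest 2000 Security events, most-touched key/process pairs first.
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { 560, 567 -contains $_.EventID } |
    ForEach-Object { ConvertFrom-RegistryAuditEvent $_ } |
    Group-Object Key, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The grouped table makes a noisy audit obvious: a key that appears thousands of times under one process is usually a polling loop, which is the performance cost the chapter warns about and a sign the audit entry should be narrowed.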



Microsoft Windows XP Registry Guide
ISBN: 0735617880
Year: 2005
Pages: 185
